Cybersecurity Legislation in Europe: An opportunity for leadership & harmonization

A year has passed since the European Commission published its proposals for the first EU Cybersecurity Strategy and its accompanying Network and Information Security (NIS) Directive. Since then a lot has happened in the cybersecurity discourse. The disclosures over alleged government snooping have sparked concern, and in some cases outrage, over the size, scope and character of government surveillance programs. Microsoft, along with other ICT companies, announced significant technical, legal and transparency measures to enhance customer protections. The shifting threat model has influenced the perception of cyber threats and reshaped the public debate. At the recently held 50th Munich Security Conference, cybersecurity was the topic of the opening panel, further evidencing how questions of security, privacy and transparency in cyberspace have become key public policy issues of our time.

The European Commission’s initiatives’ first anniversary therefore represents a timely opportunity to look back and assess the progress made so far. Global developments have made it even clearer that the Commission proposals need to be considered contextually and not in isolation. Draft legislation on the processing of personal data and the free movement of such data, as discussed within the framework of the General Data Protection Regulation, as well as the draft regulation on electronic identification and trust services for electronic transactions, touch on many of the points put forward in the NIS Directive. All relevant stakeholders must ensure coordination between these three important pieces of legislation, in particular in areas such as data protection provisions, breach notifications, auditing, liability and reporting. A lack of harmonization across these initiatives could result in conflicting requirements, which in turn could lead to a less secure cyber ecosystem, both within the EU and globally.

Some of these challenges notwithstanding, we welcome the substantial progress that has been made, in particular with regard to the development of the NIS Directive. Success in cybersecurity depends on committing to risk management. By focusing on the protection of Europe’s most critical services and assets, leaders in the European Parliament have signaled a commitment to a risk management approach and framework intended to support collaboration and accountability. For example, recently proposed changes now provide the opportunity for the private sector to participate in the planned NIS cooperation network, which would allow for the sharing of best practices and strategic analysis.

Other parts of the draft NIS Directive could still benefit from additional clarity, including how national competent authorities (NCAs) or single points of contact will in fact interact with one another and what information they will share; similarly, greater emphasis on the role of international standards and recognized certification agreements would be a welcome step forward.

Last but not least, it is important to note the progress already made on cybersecurity at the Member State level over the past year. Close to half of the EU Member States have (re-)committed to strengthening their cybersecurity efforts, either through work on national cybersecurity strategies, as envisioned in the European Commission proposals, or through efforts aimed at capacity building and greater cooperation, as seen in the BeNeLux countries, Germany, Poland, and the United Kingdom. It is important that these commitments translate into concrete actions that reconcile security and privacy while striving for maximum harmonization. The European Union has an incredible opportunity to become a policy leader in cybersecurity, and we should all work to support this effort.

Harmonization is important beyond Europe. Last week, the United States released a Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). This Framework was developed over the past 12 months through a collaborative public-private process led by the National Institute of Standards and Technology (NIST). This is an important step in the broader development of cybersecurity public policy, and the first time that the public and private sectors have agreed to a common Framework for approaching cybersecurity. You can read more about this in Scott Charney’s recent blog post, which discusses the Framework and its reliance on internationally accepted standards. In Europe, the NIS Platform can benefit from leveraging commonly accepted international risk management standards and building on the lessons learned from the US efforts.